A funny thing happened when Charles Williams e-mailed his accountant recently. His messages bounced back like basketballs.
Williams, a Lutherville investment banker, eventually learned there was nothing wrong with his computer. He had become an unsuspecting victim in a guerrilla war against spam - and of a tactic that became notorious during the 1950s.
He had been blacklisted. Or, rather, the Internet address of the server that handles his company's e-mail had been placed on two spammer lists created by volunteers trying to dam the flood of pornography pitches, pyramid schemes, chain letters and loan offers that now make up at least one-third of the Internet's mail traffic.
While critics say the anti-spammers have a point, there's a growing feeling that their methods have become too draconian and wound too many innocent victims such as Williams.
Here's how it works: The list operators, volunteers who sometimes keep their identities secret, maintain Web sites that contain the Internet addresses of e-mail servers that are used to transmit spam.
While some blacklists use very specific criteria to target individual mailers, others cast a wider net. They sometimes target an entire range of IP addresses offered by Internet service providers who may allow their systems to be used by mass e-mailers, even inadvertently.
The system works because many other ISPs, along with corporate and even a few government e-mail administrators, direct their incoming mail servers to reject any messages from the blacklisted addresses.
In Williams' case, the company that provided his address, Qwest Communications, has had several of its IP addresses appear on blacklists. As a result, customers like Williams have been affected, even though they're not spammers.
That's just what some anti-spammers want. They operate under the theory that innocent customers whose e-mail gets bounced will scream loudly enough to pressure their ISPs to crack down on spammers.
Williams, for example, has never sent spam from his Internet address, nor is there any indication that the specific address that came with his Qwest Communications DSL line was ever used for that purpose. But his address falls within the blacklisted range.
John Mozena, co-founder and vice president of the Coalition Against Unsolicited Commercial E-mail, said his Internet-based nonprofit organization has warned that these sorts of problems would spring up without national anti-spam laws.
Mike Sasso, owner of MeTaData Inc. in College Park, performs technical consulting for Williams and said he has found the experience exasperating. He tried to contact SPEWS.com, which created one of the blacklists on which Williams' IP address is listed. Eventually, he managed to reach Carl Byington, of Lake Arrowhead, Calif., who created his own list.
Byington, reached this week, said that he maintains a list of servers whose e-mail his system refuses but that he doesn't recommend anyone else use his blacklist. He said he rejects e-mail from Qwest-issued IP addresses because the company has failed to curtail spam coming from its system.
James Nash of Innovative Exchange, the Harford County ISP that provides Williams' accountant's address, said his system doesn't use third-party blacklists but instead has a subscription service that filters e-mail.
Sasso said he examined the headers of Williams' bounced e-mail and found evidence that it was rejected somewhere in the process because his IP address appeared on a blacklist available at Relays.Osirusoft.Com.
"There needs to be a public discussion of what's happening," a frustrated Sasso said.
The blacklists have raised hackles since they first became popular three years ago. The Federal Trade Commission has come under fire for testing spam filtering with third-party blacklists since August.
"What we have is an arbitrary and unverified list of addresses, from which people aren't permitted to communicate with a government agency," said Lee Tien, a senior staff attorney for the Electronic Frontier Foundation. "If the federal government is using this kind of list, there ought to be some sort of accountability."
FTC spokesman Stephen Warren said the agency's counsel advised that e-mail messages bounced back to users on a blacklist should offer alternative ways of reaching the FTC, such as the agency's mailing address and telephone number, so that people can communicate with the agency.
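The range-listing mechanism described earlier, and the kind of bounce text the FTC's counsel advised, can be sketched in a few lines. This is an added illustration, not code from any blacklist operator or mail server named in the article; the list names, the addresses (reserved documentation ranges) and the contact details are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    network: ipaddress.IPv4Network  # /32 = one mail server, wider = a whole ISP range
    source: str                     # hypothetical list name
    reason: str

# Constructed sample entries using documentation address space (RFC 5737).
BLOCKLIST = [
    Listing(ipaddress.ip_network("192.0.2.25/32"), "list-a.example",
            "server observed relaying spam"),
    Listing(ipaddress.ip_network("198.51.100.0/24"), "list-b.example",
            "provider range listed as a whole"),
]

# Placeholder alternative channel to include in the bounce.
ALT_CONTACT = "write to 1 Example St. or call +1-555-0100"

def lookup(client_ip, blocklist=BLOCKLIST):
    """Return the most specific listing that covers client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    hits = [entry for entry in blocklist if addr in entry.network]
    return max(hits, key=lambda entry: entry.network.prefixlen, default=None)

def rejection_reply(client_ip, blocklist=BLOCKLIST):
    """Return the SMTP rejection text for a listed sender, or None to accept."""
    hit = lookup(client_ip, blocklist)
    if hit is None:
        return None
    if hit.network.prefixlen == 32:
        scope = "as a single address"
    else:
        scope = f"within range {hit.network}"
    # Name the list and the scope so the sender's administrator can trace the
    # cause, and give another way to get in touch.
    return (f"550 5.7.1 {client_ip} is listed {scope} by {hit.source} "
            f"({hit.reason}). To reach us another way: {ALT_CONTACT}")

def collateral(listing):
    """Number of addresses a single listing blocks."""
    return listing.network.num_addresses

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.77", "203.0.113.9"):
        print(ip, "->", rejection_reply(ip) or "accepted")
    for entry in BLOCKLIST:
        print(entry.source, "blocks", collateral(entry), "address(es)")
```

The second sample sender has never been individually reported, yet it is rejected because its address falls inside the listed range, which is the situation the article describes.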
In the private sector, owners of banned addresses have accused the blacklisters of restraint of trade and libel.
Mail Abuse Prevention System (mail-abuse.com), which created one of the original blacklists, has been sued often, but its original approach to spam was more educational than combative, said Mozena.
"MAPS would go to the company, write them, call them, e-mail them and say, 'Look, you've got problems, here is our evidence, here are some fixes,' " he said. "Only when someone didn't respond to that did they go on the blacklist."
Today, Mozena said, blacklist creators may slap an address onto a list without trying to help the ISP resolve it - although he points out that some ISPs fail to stop spammers because they're paying customers.
Qwest Communications spokeswoman Silvia McLachlan said the company will terminate service to people who violate its acceptable-use policy - which forbids spamming.
She said there was little the company could do to protect people with Qwest-issued IP addresses who end up on blacklists except to contact the blacklist creators and ask that the IP addresses be removed.
Getting off the SPEWS.org blacklist took nearly two months for Stan Osterbauer of the Information Technology Department of Clallam County, Wash. In the fall, the rural county's servers inadvertently accepted and relayed spam for only four hours, he said, but it was enough to get on the SPEWS blacklist. Soon, county officials, including the sheriff, were having e-mail bounced.
"Of course, there was no way to get in touch with SPEWS, so I went on [an anti-spam] newsgroup," Osterbauer recalled. "I started getting all kinds of vicious attacks saying, 'How dare you have an open relay?'"
No one from SPEWS contacted Osterbauer, although he says his posts must have reached someone.
"We finally did get off as of 1 p.m. yesterday," Osterbauer said Tuesday.